Ransomware: Time for a HIPAA Update?

The recent surge in ransomware attacks on hospitals has at least one member of Congress contemplating whether HIPAA's breach notification requirements need to be clarified or updated to reflect the trend.

"New cyber threats require Congress to vigilantly review and update the laws already on the books," says Rep. Ted Lieu, D-Calif., in a statement provided to Information Security Media Group. "As ransomware attacks against hospitals become more frequent, it is critical for patients to know when their records are being held hostage and for the government to understand the scope of the problem. I am actively exploring legislation to achieve that transparency."

Lieu also told news outlet Bloomberg on March 23, "Right now under federal law, there's no requirement that a hospital has to report they've suffered a ransomware attack."

HIPAA Provisions

But a spokesman for the Department of Health and Human Services' Office for Civil Rights says in a statement provided to ISMG that some such attacks already are reportable under HIPAA.

"Because it is considered to be a 'disclosure' if access has been provided, without regard to whether or not the information actually was accessed or viewed - and hackers using ransomware do have access to the data - an impermissible disclosure has occurred, and notification is presumably required unless a 'low probability of compromise' has been demonstrated," according to the statement. "And 'whether the [PHI] was actually acquired or viewed' is only one of the factors."

The spokesman added: "OCR investigates all reported breaches affecting 500 or more individuals, and may also initiate investigations based on news reports. These investigations may include situations involving ransomware. Further, OCR coordinates with the [HHS] internal cyber breach working group on cyber issues including ransomware, and on specific breaches due to ransomware attacks."

Impact on Patients?

"These attacks really are directed at different kinds of issues - in most situations - than those where [breach] notice makes sense," he says.

"Something like ransomware is a real problem for a hospital, because it makes their records inaccessible and unusable, but I'm not sure there's any particular purpose to notifying every patient who was ever at the hospital about that kind of incident," he says. "There's always a question of what the purpose of notice is. The original purpose of notice laws was in situations where an individual could reasonably take some action - like checking credit reports in the event of a breach involving Social Security numbers where there was a risk of identity theft. For these kinds of attacks, there's nothing for the individual to do, so it's not clear what the purpose of notice would be."

Surging Threat

The uptick in ransomware attacks affecting the healthcare sector started about two years ago, says David Finn, health IT officer at security vendor Symantec.

"We've certainly been seeing a huge resurgence of ransomware, particularly in healthcare," says Finn, who was recently named a member of HHS' new healthcare industry cybersecurity task force that is examining security challenges facing the sector.

"We see ransomware in countries that have stronger economies. Surprisingly, I've seen numbers that up to 40 percent of victims are paying ransoms," he says. "The fact that one hospital in a dire situation paid [a ransom] is sad, but it's indicative of a much larger problem, and I don't think it's going away as long as people can make money."

As for the types of ransomware infecting hospitals lately, "there are a number that are in the wild today, such as CryptoWall, CryptoLocker and Locky," says James Carder, CISO of security services vendor LogRhythm.

"Ransomware is freely available or can be purchased, making it even easier for criminals to access," he notes. "Outside of ransomware, you see other crime packs, exploit kits and tools used by various threat groups. Some of these are customized and others are basically 'off the shelf' or 'over the counter.' It depends on who the threat actor is and what that person wants to do to the healthcare organization - for example, maintain long-term presence or just hit the organization once."

Call to Action

Meanwhile, Sen. Lamar Alexander, R-Tenn., chairman of the Senate Committee on Health, Education, Labor and Pensions, said the attack on MedStar Health shows the need for the Department of Health and Human Services to immediately implement provisions of the Cybersecurity Information Sharing Act of 2015.

In a March 29 statement, the senator said: "The consequences of cyberattacks like yesterday's hacking at MedStar Health can be catastrophic for America's patients. Imagine an attack leaving doctors unable to access crucial information in a patient's health history or delaying a surgery for hours on end."

The cyber legislation, the senator notes, calls for HHS to "give hospitals and doctors clear information on the best ways to prevent a hack in the first place ... Yesterday's attack, which, unfortunately, is not unique, shows the need for HHS to implement the law with the urgency patients and hospitals deserve."

About the Author

Marianne Kolbasuk McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.
